Skip to content

Refresh package specs for spec-audit mismatches and stale README coverage#44564

Open
pelikhan with Copilot wants to merge 2 commits into
mainfrom
copilot/spec-librarian-audit-update-2026
Open

Refresh package specs for spec-audit mismatches and stale README coverage#44564
pelikhan with Copilot wants to merge 2 commits into
mainfrom
copilot/spec-librarian-audit-update-2026

Conversation

Copilot AI commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

This addresses the spec-audit findings for package README drift: importinpututil had an incorrect dependency contract, linters was missing the bytescomparestring analyzer, and several package specs were stale relative to current code. The update refreshes those package-level specifications without changing implementation behavior.

  • Critical spec fixes

    • Correct pkg/importinpututil dependencies to include pkg/logger
    • Add bytescomparestring to the pkg/linters overview, subpackage API table, and dependency listing
  • Stale spec refreshes

    • Update package READMEs to match current behavior in:
      • pkg/syncutil
      • pkg/github
      • pkg/actionpins
      • pkg/agentdrain
      • pkg/repoutil
      • pkg/semverutil
      • pkg/cli
      • pkg/constants
  • Workflow spec alignment

    • Extend pkg/workflow/README.md to document checkout configuration types and the checkout.safe-outputs-github-app auth path used only for safe_outputs git operations
  • Representative spec correction

    ## Dependencies
    
    **Internal**:
    - `github.com/github/gh-aw/pkg/logger` — package-scoped debug logging

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title [WIP] Fix stale specifications in package audit report Refresh package specs for spec-audit mismatches and stale README coverage Jul 9, 2026
Copilot AI requested a review from pelikhan July 9, 2026 14:39
@pelikhan pelikhan marked this pull request as ready for review July 9, 2026 18:08
Copilot AI review requested due to automatic review settings July 9, 2026 18:08
@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Design Decision Gate 🏗️ completed the design decision gate check.

No ADR enforcement needed: PR #44564 does not have the 'implementation' label and has only 29 new lines of code in business logic directories (threshold: 100).

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Test Quality Sentinel completed test quality analysis.

No test files were added or modified in this PR. All changed files are README.md documentation updates. Test Quality Sentinel skipped.

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

🧠 Matt Pocock Skills Reviewer has completed the skills-based review. ✅

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

⚠️ PR Code Quality Reviewer failed during code quality review.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This pull request refreshes package-level README specifications to resolve spec-audit mismatches and bring documentation back in sync with current gh-aw behavior (no implementation changes).

Changes:

  • Document pkg/workflow checkout configuration types and clarify safe-outputs-github-app auth behavior for safe_outputs.
  • Fix spec mismatches (e.g., importinpututil internal dependency on pkg/logger, and linters coverage for bytescomparestring).
  • Refresh multiple package READMEs with behavior notes that now match current implementations.
Show a summary per file
File Description
pkg/workflow/README.md Adds documented CheckoutConfig / CheckoutManager API surface and clarifies safe_outputs-only GitHub App auth behavior.
pkg/syncutil/README.md Documents OnceLoader.Override caching semantics.
pkg/semverutil/README.md Specifies invalid-version handling behavior for IsCompatible.
pkg/repoutil/README.md Documents NormalizeRepoForAPI host parsing behavior.
pkg/linters/README.md Adds bytescomparestring analyzer to package overview/table/dependencies.
pkg/importinpututil/README.md Corrects internal dependency contract to include pkg/logger.
pkg/github/README.md Clarifies PriorityLabels behavior for "first" multi-label logic.
pkg/constants/README.md Notes local/remote default GitHub tool list split and DefaultGitHubTools deprecation alias.
pkg/cli/README.md Describes non-Cobra reusable helpers exposed by the CLI package.
pkg/agentdrain/README.md Documents embedded default weights under data/ for bootstrapping.
pkg/actionpins/README.md Adds note about PinContext.Warnings usage for mapping/warning deduplication.

Review details

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

  • Files reviewed: 11/11 changed files
  • Comments generated: 1
  • Review effort level: Low

Comment thread pkg/actionpins/README.md
// reference resolves against acme-corp/checkout@v4 pins
```

Because `PinContext.Warnings` is used for one-time mapping diagnostics, callers that reuse a `PinContext` SHOULD initialize it with a non-nil map when they want warning deduplication.
@github-actions github-actions Bot mentioned this pull request Jul 9, 2026

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Documentation-only PR. All claims verified against implementation:

  • pkg/importinpututil — critical fix: removed false 'no dependencies' claim; pkg/logger import confirmed in source.
  • pkg/linters — bytescomparestring subpackage exists; bullet list, API table, and dependency list all consistently updated.
  • pkg/github — PriorityLabels behaviour matches computeValueFirst exactly (iterates issue labels in order, falls back to first matching value).
  • pkg/workflow — CheckoutConfig/CheckoutManager types exist; safe-outputs-github-app description matches SafeOutputGitHubApp field semantics; sparse-pattern union and HasAppAuth confirmed.
  • All other stale-spec additions (syncutil, repoutil, semverutil, agentdrain, cli, constants, actionpins) are accurate.

No blocking issues found.

🧵 Reviewed using Impeccable skills by Impeccable Skills Reviewer · 54.1 AIC · ⌖ 6.18 AIC · ⊞ 4.8K

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Skills-Based Review 🧠

Applied /grill-with-docs — requesting changes on three precision issues found in the new spec text.

📋 Key Themes & Highlights

Key Themes

  • Auth model description: pkg/workflow/README.md line 127 implies github-token, github-app, and safe-outputs-github-app are mutually exclusive, but only the first two are; the third is orthogonal and composable.
  • Fallback precision: pkg/github/README.md line 115 describes the "first" fallback as "first matching label" but the code returns matchingValues[0] — the first collected match, which may differ from first-in-issue-order.
  • nil-ctx safety: pkg/actionpins/README.md line 95 recommends callers initialise Warnings without noting that nil ctx is already safe (auto-allocated internally), which could mislead callers.

Positive Highlights

  • ✅ Critical dependency correction in pkg/importinpututil/README.md — the old "no dependencies" claim was clearly wrong and this fix aligns spec with reality.
  • bytescomparestring additions to pkg/linters/README.md are thorough: overview list, API table, and dependencies all updated in lock-step.
  • ✅ All other stale spec refreshes (syncutil, semverutil, repoutil, agentdrain, constants, cli) are accurate and verify cleanly against the implementation.
  • ✅ Good discipline throughout: purely additive changes, no behavior-altering edits.

🧠 Reviewed using Matt Pocock's skills by Matt Pocock Skills Reviewer · 125.1 AIC · ⌖ 9.15 AIC · ⊞ 6.6K
Comment /matt to run again

Comment thread pkg/workflow/README.md

#### Checkout configuration

The `checkout:` frontmatter key is parsed by `ParseCheckoutConfigs` into one or more `CheckoutConfig` values. Each entry may target the current repository or a cross-repository checkout, and supports authentication via either `github-token`, `github-app`, or `safe-outputs-github-app`.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[/grill-with-docs] The phrase "supports authentication via either github-token, github-app, or safe-outputs-github-app" implies all three options are mutually exclusive, but the code shows they are not — safe-outputs-github-app is independent and can coexist with github-token or github-app.

💡 Suggested rewording
supports authentication via `github-token` or `github-app` (mutually exclusive) and optionally `safe-outputs-github-app` for safe_outputs git operations.

From checkout_manager.go, github-token and github-app block each other (first-seen wins), while safe-outputs-github-app has its own independent first-seen rule and can co-exist in the same entry.

@copilot please address this.

Comment thread pkg/github/README.md
- All label comparisons are case-insensitive: labels are normalised with `strings.ToLower(strings.TrimSpace(...))` before lookup.
- The default `MultiLabelLogic` is `"max"`. Callers that do not set this field get max-value semantics automatically.
- `PriorityLabels` is only consulted when `MultiLabelLogic` is `"first"`; it establishes evaluation precedence among matching labels.
- `PriorityLabels` is only consulted when `MultiLabelLogic` is `"first"`; the implementation walks the issue's labels in their existing order and returns the first label that also appears in `PriorityLabels`, falling back to the first matching label if no priority entry matches.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[/grill-with-docs] The new design note describes iteration order as "walks the issue's labels in their existing order" — this accurately reflects the code, but the fallback condition is slightly imprecise: it returns the first label from matchingValues (positional in the matched list), not the first matching label in issue-label order.

💡 Suggested rewording
- `PriorityLabels` is only consulted when `MultiLabelLogic` is `"first"`; the implementation walks the issue's labels in their existing order and returns the value for the first label that also appears in `PriorityLabels`. If no priority entry matches, it falls back to the value of the first label from the `LabelToValue` map that matched any issue label.

See computeValueFirst in label_objective_mapping.go — the fallback is matchingValues[0], which is the first element collected during the matching scan, not necessarily the first label in issue order.

@copilot please address this.

Comment thread pkg/actionpins/README.md
// reference resolves against acme-corp/checkout@v4 pins
```

Because `PinContext.Warnings` is used for one-time mapping diagnostics, callers that reuse a `PinContext` SHOULD initialize it with a non-nil map when they want warning deduplication.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[/grill-with-docs] The SHOULD recommendation here is slightly misleading — callers that pass nil for ctx are safe because ResolveActionPin allocates a fresh PinContext in that case, and initWarnings auto-initialises the map on first use. The real risk is only for callers who pass a non-nil PinContext with a nil Warnings field and then reuse it across calls that exercise the Mappings path.

💡 Suggested rewording
Because `PinContext.Warnings` is used for one-time mapping diagnostics, callers that supply a non-nil `PinContext` and reuse it across multiple `ResolveActionPin` calls that exercise `Mappings` SHOULD initialise `Warnings` with a non-nil map. Passing `nil` as `ctx` is always safe: the function allocates a fresh context internally.

@copilot please address this.

Comment thread pkg/workflow/README.md

- `github-app` changes the authentication used by the generated `actions/checkout` step itself.
- `safe-outputs-github-app` mints a GitHub App token only for later `safe_outputs` git operations (fetch/push) against the checkout target; it does **not** change activation or agent-job checkout authentication.
- `CheckoutManager` merges compatible checkout requests, unions sparse-checkout patterns, and tracks whether any checkout requires GitHub App token minting.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[/grill-with-docs] "tracks whether any checkout requires GitHub App token minting" is accurate but undersells what CheckoutManager does — it also resolves and deduplicates overlapping checkout requests and generates deterministic step plans.

💡 Suggested addition
- `CheckoutManager` merges compatible checkout requests, unions sparse-checkout patterns, deduplicates overlapping repo/ref pairs, and tracks whether any checkout requires GitHub App token minting for later safe_outputs operations.

See checkout_manager.go — the Merge logic handles deduplication and the public API surface goes beyond just tracking the app flag.

@copilot please address this.

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Two documentation accuracy issues found

This PR refreshes 11 package READMEs — the majority of changes are accurate and well-matched to the current source. Two issues need attention.

Verified accurate: pkg/github, pkg/syncutil, pkg/semverutil, pkg/repoutil, pkg/workflow, pkg/actionpins, pkg/agentdrain, pkg/importinpututil, pkg/cli — all checked against source.

See inline comments for the two issues.

🔎 Code quality review by PR Code Quality Reviewer · 227.1 AIC · ⌖ 6.68 AIC · ⊞ 5.4K
Comment /review to run again

Comment thread pkg/linters/README.md
| Subpackage | Description |
|------------|-------------|
| `appendbytestring` | Custom `go/analysis` analyzer that flags `append(b, []byte(s)...)` calls where `s` is a string that can be simplified to `append(b, s...)` |
| `bytescomparestring` | Custom `go/analysis` analyzer that flags `string(a) == string(b)` / `!=` comparisons on `[]byte` values that should use `bytes.Equal` |

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Inaccurate fix guidance for != comparisons: the description says both == and != comparisons "should use bytes.Equal", but != requires !bytes.Equal(a, b)bytes.Equal alone inverts the semantics.

💡 Suggested correction

Current text:

`bytescomparestring` — reports `string(a) == string(b)` and `string(a) != string(b)` comparisons where `a` and `b` are `[]byte` values that should use `bytes.Equal`.

Suggested:

`bytescomparestring` — reports `string(a) == string(b)` and `string(a) != string(b)` comparisons where `a` and `b` are `[]byte` values; use `bytes.Equal(a, b)` for `==` and `!bytes.Equal(a, b)` for `!=`.

A developer consulting this README and applying the bytes.Equal suggestion to a != comparison would silently negate the condition, introducing a logic bug. The same inaccuracy appears in both the bullet list and table entry — both should be corrected.

Comment thread pkg/constants/README.md
- Version constants are intentionally plain string literals (not derived from build tags or embedded files) so that individual upgrades can be made as targeted one-line changes.
- `GetWorkflowDir()` reads `GH_AW_WORKFLOWS_DIR` from the environment at call time, allowing the directory to be overridden in tests and CI.
- `AgenticEngines` is deprecated in favour of `workflow.NewEngineCatalog(workflow.NewEngineRegistry()).IDs()` but is kept for backward compatibility.
- Default GitHub tool lists are split into local and remote variants; `DefaultGitHubTools` remains as a deprecated compatibility alias for callers that have not yet switched to the explicit local/remote names.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Misleading claim: "split into local and remote variants" implies behavioral divergence, but DefaultGitHubToolsLocal and DefaultGitHubToolsRemote currently both alias DefaultReadOnlyGitHubTools — they are identical in value today.

💡 Suggested correction

The constants source explicitly comments that they are "currently identical" with potential to diverge. The README should match this reality:

- `DefaultGitHubTools` is a deprecated compatibility alias for `DefaultGitHubToolsLocal` (which is itself currently identical to `DefaultGitHubToolsRemote`); callers should switch to the explicit local/remote names to be ready for future divergence.

The current wording implies the split already carries meaning, which could lead callers to assume they get different tool sets per mode when they do not.

@gh-aw-bot

Copy link
Copy Markdown
Collaborator

@copilot please run the pr-finisher skill, address any remaining feedback from the latest automated reviews, and rerun checks once the branch is up to date.

Generated by 👨‍🍳 PR Sous Chef · 7.39 AIC · ⌖ 6.38 AIC · ⊞ 4.7K ·
Comment /souschef to run again

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[spec-librarian] Specification Audit — 2026-07-09 — 16 issues found

4 participants